Skill v5.3.0

ClawScan security

Dream Interpreter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 23, 2026, 9:40 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's textual content and interpretation references look coherent for a dream-reading tool, but the runtime instructions expect browser-based image rendering and write to a hard-coded filesystem path without declaring required binaries, installs, or config paths — an inconsistency you should understand before installing.
Guidance
Before installing, consider the following:
1) The SKILL.md expects Playwright (or Pillow) and a headless browser to render Dream Card images, but the skill metadata does not declare these binaries or an install step — ask the author to provide an install spec or make rendering optional.
2) The instructions save images to a hard-coded path (/home/z/my-project/download/). Confirm where files will be written, that the path is writable, and whether you can configure it.
3) The skill will ask follow-up questions and may collect sensitive personal details in dreams. Clarify how (and whether) user data and generated cards are stored, shared, or logged.
4) Because this is an instruction-only skill that may invoke local tools, verify that the runtime has the needed libraries and that you trust the environment that will execute Playwright/browser automation.
5) If these mismatches bother you, ask the developer to (a) declare required binaries/config paths, (b) provide safe defaults or an option to disable image rendering, and (c) document data handling and permissions.
If the developer cannot clarify, treat installation cautiously.

Review Dimensions

Purpose & Capability
note: The skill's name/description (multi‑perspective dream interpreter) matches the included symbol reference files and interpretation guidance. Generating a text reading and an image Dream Card is reasonable for this purpose. However, the SKILL.md recommends using Playwright/HTML+CSS screenshotting for rendering images, yet the metadata declares no required binaries or install steps; that mismatch suggests missing dependency declarations.
Instruction Scope
concern: The runtime instructions explicitly say to build an HTML string, use Playwright headless browser automation, take a screenshot, and save PNG files to /home/z/my-project/download/dream-card-[timestamp].png. Those are actionable system operations (browser automation + filesystem writes), but the skill metadata does not declare any required binaries, installs, or config paths. The SKILL.md also prescribes asking up to 3 follow-up questions (which may elicit potentially sensitive personal details) but does not document storage/sharing policies for user-provided content.
Install Mechanism
note: There is no install spec (instruction-only), which is low risk in general. However, the README prescribes using Playwright or Pillow to render images; both are external tools/libraries that may not exist in the runtime. Because no install mechanism or well-known release URLs are provided, the instructions are incomplete and could cause the agent to attempt to install or call unavailable tools at runtime.
Credentials
note: The skill declares no required env vars or credentials, which is proportionate for a local interpretation/rendering tool. But it hard-codes a save directory (/home/z/my-project/download/) in the rendering instructions without declaring required config paths or asking the user for a writable output location; this mismatch could lead to unexpected writes or failures.
Persistence & Privilege
ok: always is false and the skill does not request persistent platform privileges. There is no indication it modifies other skills or global agent settings. Autonomous invocation is allowed (platform default) but does not combine here with other red flags.